Structure of Case File Case # Case Files Image dd image Hash code Case Index FTK Report Doc Recovered files E-mails Photos Etc.

Post on 21-Dec-2015


Structure of Case File

Case #
  Case Files
    Image: dd image, hash code
    Case Index: FTK
    Report: doc
    Recovered files: e-mails, photos, etc.

Forensic Work Station

Clean install of the OS
Clean install of all apps
Clean install of all forensic packages
Keep all evidence and case related info on an external clean hard drive
After case is “completed”, physically archive the external hard drive
Wipe the operational hard drive

HD Data Acquisition: Imaging the Hard Drive

1. Acquisition Layers
2. Write Blockers
3. Media Preparation
4. Imaging
5. Integrity Hashes

Imaging Digital Media

Hash the media
Make an exact copy of the media: everything, including errors and deleted data
Hash the image to prove it is an exact copy
Compare with the hash of the original (MD5, SHA1, SHA256)

Acquisition Layers

Device: physical layer
Partition: logical layer
File: logical layer

Always acquire data at the lowest possible layer. Acquire every sector on the disk. Your tools can abstract the raw data at any level.

Acquisition Tools

1. Know what your tools do
2. Test them
3. Validate them

Test plan, test report

NIST - http://www.cftt.nist.gov/disk_imaging.htm
http://nij.ncjrs.gov/publications/Pub_search.asp?category=99&searchtype=basic&location=top&PSID=55&sort=date#nijpubs

Imaging Hardware Setup

(Diagram; components labelled: Forensics Workstation, Write Blocker, Suspect Media, Forensic Storage (External))

Write Blockers

Cannot touch the suspect media; evidence cannot be altered
Important to verify: test, test, test (hardware and software)
Always use hardware
Be careful of read only and read/write blockers

Write Blockers

1. HW
   1. Paraben, $249.95 - $2000
   2. Tableau, $249.95 - $2000
2. SW
   Modifies the interrupt table
3. NIST Reports
   1. http://www.cftt.nist.gov/software_write_block.htm

Write Blocker: Tableau T8

Inputs: USB
Outputs: USB, Firewire
(Photo labels: USB device, write blocker, on/off switch)

Write Blocker: Tableau T35e

Inputs: IDE, SATA
Outputs: USB, Firewire
(Photo labels: IDE device, SATA cable, write blocker, on/off switch)

Write Blocker: Paraben

Inputs: IDE
Outputs: USB, Firewire
(Photo labels: IDE device, write blocker, on/off switch)

Case Storage Media Preparation

External hard drive storage
Zero all sectors: 32 bit checksum = 0 (32 bit sum with carry bit added); use WinHex
Partition
Format NTFS

Particulars

Start up Helix live CD
Zero drive:
  dd if=/dev/zero of=/dev/sdb
Partition drive:
  fdisk /dev/sdb
  etc.
  mkntfs /dev/sdb
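The zero-and-verify step above, as an added example that is not from the slides: the slides zero a real external drive with dd and then check a 32-bit checksum in WinHex. This script does the same on a constructed file-backed "drive" so it runs offline and touches no real device; the part that matters is the verification, which proves the storage is sterile (every byte 0x00) before an image is written to it. The checksum32 function is an assumed simplification of the slide's 32-bit sum, not WinHex's exact algorithm; for a fully zeroed medium both give 0.

```shell
#!/bin/sh
# Added example, not from the original slides.  The slides zero a real
# drive (dd if=/dev/zero of=/dev/sdb) and check a 32-bit checksum in
# WinHex.  Here the "drive" is a constructed file so nothing real is
# touched; the checks are the part that matters.

# Zero-fill the target: $1 = path, $2 = number of 512-byte sectors.
zero_fill() {
    dd if=/dev/zero of="$1" bs=512 count="$2" 2>/dev/null
}

# Exact sterility check: strip every NUL byte and see whether anything
# is left.  Returns 0 (true) only if every byte of the medium is 0x00.
is_sterile() {
    [ "$(tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# Simplified 32-bit additive checksum (sum of all bytes mod 2^32).  This
# is an assumption standing in for the slide's "32 bit sum" check, not
# WinHex's exact algorithm; a sterile medium gives 0 either way.  A zero
# checksum is necessary, not sufficient: is_sterile is the real proof.
checksum32() {
    od -An -v -tu1 "$1" | tr -s ' ' '\n' \
        | awk 'NF { s = (s + $1) % 4294967296 } END { print s + 0 }'
}

# Stand-alone demonstration on a constructed 16-sector "drive".
demo_dir=$(mktemp -d)
zero_fill "$demo_dir/drive.img" 16
if is_sterile "$demo_dir/drive.img"; then
    echo "drive.img is sterile, checksum32=$(checksum32 "$demo_dir/drive.img")"
fi
# Plant one non-zero byte ('A' = 0x41) and show the check catches it.
printf 'A' | dd of="$demo_dir/drive.img" bs=1 seek=7 conv=notrunc 2>/dev/null
if ! is_sterile "$demo_dir/drive.img"; then
    echo "drive.img is NOT sterile, checksum32=$(checksum32 "$demo_dir/drive.img")"
fi
rm -rf "$demo_dir"
```

On a real case drive the same functions would be pointed at the block device (for example /dev/sdb as on the slide) instead of the temp file; the tr-based check reads the whole medium, so expect it to take as long as the zeroing did.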

Imaging

Exact copy of drive
Cannot be changed
Must be verifiable
HW/SW

Reading the Source

1. Read device directly: extended INT13h
2. Use the BIOS: may lie about the size (INT13h)
3. Dead vs live acquisition
4. Error handling
   1. Logging, bad blocks

Imaging Apps

FTK Imager: bootable memory stick
EnCase
WinHex
Open source:
  dd – Windows (Garner), Linux, Helix
  Defense Computer Forensic Labs: dcfldd, dc3dd

Output Format of Image

1. Separate drive
   1. A single file – ease of use
   2. Multiple files – facilitate archiving on DVDs
      1. 160 Gbytes ~ 27 DVDs
2. Raw or custom
   dd can be interpreted by everything; EnCase has embedded info
3. Hash codes & errors
   1. Interlaced: EnCase saves them in a proprietary format
   2. Separate file: dcfldd saves hashes in a separate file
   3. Nothing: dd; save the hash in a separate file (can calculate an MD5 hash)

Image Formats

dd – Raw bit for bit copy (.001)
E01 – EnCase format; includes file description, hashes, etc. (.e01); uses zLib compression
AD1 – AccessData Custom Content Logical Image
S01 – SMART Linux format

Integrity Hashes

1. CRC, MD5, SHA, SHA1, SHA256
2. By device
3. By partition
4. By sector

dd

Standard on all Linux distros
Windows: http://gmgsystemsinc.com/fau/
  Create a directory at root level: C:\bin
  Add that path to your path environment variable:
  Control Panel\System Properties\environment variables\system variables\path – edit, append C:\bin
  Add sysinternals

Using dd

Unix command structure
Included with all Unix/Linux/BSD distros; http://unxutils.sourceforge.net/
Windows version is available: http://www.gmgsystemsinc.com/fau/

#dd input output options

#dd if=suspect.drive of=E:\Case\image\captured

Input Sources

Linux
/dev/hda – ATAPI device
/dev/sda – SCSI device
/dev/fd0 – Floppy
/dev/mem – RAM

Windows
\\.\PhysicalDevice0 – IDE bus 0 master device
\\.\PhysicalMemory – RAM

Output Sources

Windows
F:\Images\Case-08001

Linux, on another internal drive
/dev/hdb1 – Saved onto the slave drive on IDE bus 1

Usually an external USB hard drive is mounted
/media/FlashDisk/hda-evidence.data

Options

bs=n, ibs, obs – block size is n bytes, in or out or both
skip=n – skip n blocks
count=n – copy n blocks
Must declare block size prior to skip/count

#dd if=/dev/sda1 of=/root/lynn.dd bs=4096 count=1

Example

#dd if=/dev/sda1 of=/home/lynn/example.dd bs=512 count=1

0000000: eb3c 904d 5344 4f53 352e 3000 0204 0100  .<.MSDOS5.0.....
0000010: 0200 0200 00f8 ff00 3f00 ff00 3f00 0000  ........?...?...
0000020: dfe7 0300 8001 2905 8f93 804e 4f20 4e41  ......)....NO NA
0000030: 4d45 2020 2020 4641 5431 3620 2020 33c9  ME    FAT16   3.
0000040: 8ed1 bcf0 7b8e d9b8 0020 8ec0 fcbd 007c  ....{.... .....|
0000050: 384e 247d 248b c199 e83c 0172 1c83 eb3a  8N$}$....<.r...:
0000060: 66a1 1c7c 2666 3b07 268a 57fc 7506 80ca  f..|&f;.&.W.u...
0000070: 0288 5602 80c3 1073 eb33 c98a 4610 98f7  ..V....s.3..F...
0000080: 6616 0346 1c13 561e 0346 0e13 d18b 7611  f..F..V..F....v.
0000090: 6089 46fc 8956 feb8 2000 f7e6 8b5e 0b03  `.F..V.. ....^..
00000a0: c348 f7f3 0146 fc11 4efe 61bf 0000 e8e6  .H...F..N.a.....
00000b0: 0072 3926 382d 7417 60b1 0bbe a17d f3a6  .r9&8-t.`....}..
00000c0: 6174 324e 7409 83c7 203b fb72 e6eb dca0  at2Nt... ;.r....
00000d0: fb7d b47d 8bf0 ac98 4074 0c48 7413 b40e  .}.}....@t.Ht...
00000e0: bb07 00cd 10eb efa0 fd7d ebe6 a0fc 7deb  .........}....}.
00000f0: e1cd 16cd 1926 8b55 1a52 b001 bb00 00e8  .....&.U.R......
0000100: 3b00 72e8 5b8a 5624 be0b 7c8b fcc7 46f0  ;.r.[.V$..|...F.
0000110: 3d7d c746 f429 7d8c d989 4ef2 894e f6c6  =}.F.)}...N..N..
0000120: 0696 7dcb ea03 0000 200f b6c8 668b 46f8  ..}..... ...f.F.
0000130: 6603 461c 668b d066 c1ea 10eb 5e0f b6c8  f.F.f..f....^...
0000140: 4a4a 8a46 0d32 e4f7 e203 46fc 1356 feeb  JJ.F.2....F..V..
0000150: 4a52 5006 536a 016a 1091 8b46 1896 9233  JRP.Sj.j...F...3
0000160: d2f7 f691 f7f6 4287 caf7 761a 8af2 8ae8  ......B...v.....
0000170: c0cc 020a ccb8 0102 807e 020e 7504 b442  .........~..u..B
0000180: 8bf4 8a56 24cd 1361 6172 0b40 7501 4203  ...V$..aar.@u.B.
0000190: 5e0b 4975 06f8 c341 bb00 0060 666a 00eb  ^.Iu...A...`fj..
00001a0: b04e 544c 4452 2020 2020 2020 0d0a 6720  .NTLDR      ..g 
00001b0: 5379 7374 656d 206d 6973 7369 6e67 ff0d  System missing..
00001c0: 0a44 6973 6b20 6572 726f 72ff 0d0a 5072  .Disk error...Pr
00001d0: 6573 7320 616e 7920 6b65 7920 746f 2072  ess any key to r
00001e0: 6573 7461 7274 0d0a 0000 0000 0000 0000  estart..........
00001f0: 0000 0000 0000 0000 0000 00ac bfcc 55aa  ..............U.
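How bs=, skip= and count= interact, as an added example that is not from the slides. The Options slide says the block size must be declared before skip/count; the reason is that skip= and count= are measured in units of bs=, so the same skip=1 reads different data under bs=512 and bs=1024. The image here is constructed: eight 512-byte sectors, each tagged with "SECTOR-n" at its start, and sector 0 ends with the 0x55AA boot signature that the dump above also shows at offset 0x1fe. Every dd invocation can therefore be checked by reading the tag or the signature back.

```shell
#!/bin/sh
# Added example, not from the original slides: how dd's bs=, skip= and
# count= interact, on a constructed 8-sector image.  Each sector starts
# with an ASCII tag "SECTOR-n", and sector 0 carries the 0x55AA boot
# signature at offset 510 like the FAT16 boot sector dumped above, so
# every extraction can be checked by reading the tag or signature back.

SECTOR=512

# Build the constructed image: $1 = path.  conv=sync pads each short
# input block to a full 512-byte sector; seek= places it by sector.
make_image() {
    : > "$1"
    i=0
    while [ "$i" -lt 8 ]; do
        printf 'SECTOR-%d' "$i" \
            | dd of="$1" bs=$SECTOR seek="$i" conv=sync,notrunc 2>/dev/null
        i=$((i + 1))
    done
    # boot signature 0x55 0xAA in the last two bytes of sector 0
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# skip= counts in units of bs=, so the same skip=1 lands on different
# data depending on bs.  $1 = image, $2 = bs, $3 = skip.  Prints the
# 8-byte tag found at the start of the extracted block.
extract_tag() {
    dd if="$1" bs="$2" skip="$3" count=1 2>/dev/null | head -c 8
}

# With bs=1, skip= and count= become byte offsets: read the two
# signature bytes at offset 510 and print them as hex.
boot_signature() {
    dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Stand-alone demonstration.
demo=$(mktemp -d)
make_image "$demo/image.dd"
echo "bs=512  skip=1 -> $(extract_tag "$demo/image.dd" 512 1)"    # SECTOR-1
echo "bs=1024 skip=1 -> $(extract_tag "$demo/image.dd" 1024 1)"   # SECTOR-2
echo "signature      -> $(boot_signature "$demo/image.dd")"       # 55aa
rm -rf "$demo"
```

The same bs=1 trick is how a single field of a boot sector or partition table is pulled out of a full-disk image for inspection without re-reading the whole drive.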

Md5 Hash

#dd if=/dev/sda1 bs=512 count=1 | md5sum > hash.txt

#cat hash.txt

D41d8cd98f00b204e9800998ecf8427e

#dd if=/dev/sda1 bs=512 count=1 | sha1sum > hash.txt

#cat hash.txt

d41d8cd98f00b204e9800998ecf8427e
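The full procedure from the Imaging Digital Media slide (hash the media, make an exact copy, hash the image, compare) together with a sanity check on the Md5 Hash slide's output, as an added example that is not from the slides. The suspect media is a constructed temp file standing in for if=/dev/sdX behind a write blocker, so this runs offline and touches no device. One check worth building in: d41d8cd98f00b204e9800998ecf8427e, the value shown on the slide above, is the MD5 of zero bytes of input, so a hash log containing it means the dd pipeline read nothing at all (wrong device name, missing permissions, a typo), not that a sector was hashed.

```shell
#!/bin/sh
# Added example, not from the original slides: the "hash the media, copy
# it, hash the image, compare" procedure from the Imaging Digital Media
# slide, plus a sanity check on the Md5 Hash slide's output.  The
# suspect media is a constructed temp file standing in for if=/dev/sdX
# behind a write blocker, so this runs offline and touches no device.

# MD5 of zero bytes of input.  If a hash log shows this value, the dd
# pipeline read nothing (wrong device, permissions, typo), not a sector.
EMPTY_MD5=d41d8cd98f00b204e9800998ecf8427e

# Constructed "suspect media": $1 = path, $2 = number of 512-byte sectors.
make_media() {
    dd if=/dev/urandom of="$1" bs=512 count="$2" 2>/dev/null
}

# Hash a file with one algorithm; $1 = file, $2 = md5sum|sha1sum|sha256sum.
hash_of() {
    "$2" < "$1" | cut -d' ' -f1
}

# Sector-level copy: $1 = source, $2 = image.  noerror,sync keeps going
# on read errors and zero-fills the bad block so the image stays
# sector-aligned with the source.
image_media() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Verify the image: $1 = source, $2 = image, $3 = hash log to append to.
# Returns 0 only if MD5, SHA1 and SHA256 all match and the image is not
# empty; every hash is recorded so the comparison can be reproduced.
verify_image() {
    status=0
    for algo in md5sum sha1sum sha256sum; do
        src=$(hash_of "$1" "$algo")
        img=$(hash_of "$2" "$algo")
        printf '%s source=%s image=%s\n' "$algo" "$src" "$img" >> "$3"
        [ "$src" = "$img" ] || status=1
    done
    [ "$(hash_of "$2" md5sum)" = "$EMPTY_MD5" ] && status=1
    return "$status"
}

# Stand-alone run on a constructed 8-sector medium.
work=$(mktemp -d)
make_media "$work/media" 8
image_media "$work/media" "$work/image.dd"
if verify_image "$work/media" "$work/image.dd" "$work/hash.log"; then
    echo "image verified:"; cat "$work/hash.log"
fi
# Zero one sector of the image (what a damaged or altered copy would
# look like) and show that verification now fails.
dd if=/dev/zero of="$work/image.dd" bs=512 seek=3 count=1 conv=notrunc 2>/dev/null
verify_image "$work/media" "$work/image.dd" "$work/hash.log" \
    || echo "image does NOT match source after alteration"
rm -rf "$work"
```

Hashing with three algorithms costs three reads of the medium; on a real drive run them from one read (dcfldd and dc3dd do this with hash=md5,sha256) and keep the log with the case file, since the comparison is what has to be shown later.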

dcfldd

Very much like dd:

dcfldd if=/dev/mem of=/home/image conv=noerror bs=4096 \
  errlog=error_log1 \
  hash=md5 hashwindow=4096 hashlog=hash_dmp1 \
  hashformat="#hash#" >> report

However, it lets you make multiple copies of the image:

dcfldd if=/dev/mem of=/home/image of=/media/storage/image2

Bad Sectors

Bad sectors are treated differently, so hashes may differ
Some imagers zero fill
One hash is calculated by ignoring the sector, the other using the zero fill after imaging
Hard to explain in court

Remedies

dcfldd conv=noerror,sync
This converts bad sectors to zeroes and continues if an error is encountered

hashconv=after
This calculates the hash after the conversion for the device hash; can be questioned in court
Hard to explain in court

Better solution

Use a small hash window; compare all the hashes of the small chunks
hashwindow=1M hashlog=hash-dump
Show that the hashes disagree only on the chunk containing the bad sector
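The "small hash window" remedy, as an added example that is not from the slides. dcfldd and dc3dd produce the piecewise hashes with hashwindow= and hashlog=; here the same windowed hashing is done with plain dd and md5sum so it runs anywhere, on two constructed images: a clean one and a copy in which one sector has been zero-filled the way conv=noerror,sync would on a read error. The whole-image hashes disagree, which is the courtroom problem, but the per-window comparison pins the disagreement to exactly one window while every other window still matches.

```shell
#!/bin/sh
# Added example, not from the original slides: the "small hash window"
# remedy.  dcfldd/dc3dd do this with hashwindow= and hashlog=; here the
# same piecewise hashing is done with plain dd and md5sum so it runs
# anywhere, on two constructed images: a clean one and a copy in which
# one sector was zero-filled the way conv=noerror,sync would on a read
# error.  Only the window holding that sector should differ.

# MD5 of one window: $1 = image, $2 = window size in bytes, $3 = index.
window_hash() {
    dd if="$1" bs="$2" skip="$3" count=1 2>/dev/null | md5sum | cut -d' ' -f1
}

# Number of windows needed to cover the image (last one may be short).
window_count() {
    size=$(wc -c < "$1")
    echo $(( (size + $2 - 1) / $2 ))
}

# Per-window hash log: $1 = image, $2 = window size.  Prints one
# "index hash" line per window, the shape of a dcfldd hashlog.
hash_windows() {
    n=$(window_count "$1" "$2")
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '%d %s\n' "$i" "$(window_hash "$1" "$2" "$i")"
        i=$((i + 1))
    done
}

# Compare two images window by window: $1 = image A, $2 = image B,
# $3 = window size.  Prints the index of every window whose hashes
# disagree; prints nothing if the images are identical.
diff_windows() {
    n=$(window_count "$1" "$3")
    i=0
    while [ "$i" -lt "$n" ]; do
        a=$(window_hash "$1" "$3" "$i")
        b=$(window_hash "$2" "$3" "$i")
        [ "$a" = "$b" ] || printf '%d\n' "$i"
        i=$((i + 1))
    done
}

# Simulate what conv=noerror,sync does to an unreadable sector:
# $1 = image, $2 = sector number to zero-fill in place.
simulate_bad_sector() {
    dd if=/dev/zero of="$1" bs=512 seek="$2" count=1 conv=notrunc 2>/dev/null
}

# Stand-alone demonstration: 16 sectors, 2048-byte windows (4 sectors
# each), bad sector 9, which lies in window 2.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/good.dd" bs=512 count=16 2>/dev/null
cp "$work/good.dd" "$work/bad.dd"
simulate_bad_sector "$work/bad.dd" 9
echo "whole-image md5, good: $(md5sum < "$work/good.dd" | cut -d' ' -f1)"
echo "whole-image md5, bad:  $(md5sum < "$work/bad.dd"  | cut -d' ' -f1)"
echo "windows that differ (window=2048): $(diff_windows "$work/good.dd" "$work/bad.dd" 2048)"
echo "windows that differ (window=512):  $(diff_windows "$work/good.dd" "$work/bad.dd" 512)"
rm -rf "$work"
```

Shrinking the window to one sector (512) names the bad sector itself; the slide's 1M window is a trade-off between log size on a large drive and how precisely the disagreement is localised.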

dc3dd

Makes dd similar to dcfldd
Written by Jesse Kornblum; maintained by the DoD Cyber Crime Center

dcfldd if=/dev/mem of=/home/image conv=noerror bs=4096 \
  errlog=error_log1 \
  hash=md5 hashwindow=4096 hashlog=hash_dmp1 \
  hashformat="#hash#" >> report

• Pattern writes
• Piecewise and overall hashing with multiple algorithms and variable size windows; supports MD5, SHA-1, SHA-256, and SHA-512
• Progress meter with automatic input/output file size probing
• Combined log for hashes and errors
• Error grouping: produces one error message for identical sequential errors
• Verify mode
• Ability to split the output into chunks with numerical or alphabetic extensions

dd_rescue

Sort of like dd; however, some of the options are not called the same as ddrescue
Copies data from one device to another
Attempts to correct block errors
Usually does a really good job
Can take a long time if the drive is hosed
Not forensically sound

ddrescue (GNU)

Sort of like dd_rescue; however, some of the options are not called the same as dd_rescue
Copies data from one device to another
Attempts to correct block errors
Usually does a really good job
Can take a long time if the drive is hosed
Not forensically sound

Builds

WinHex – Very good hexadecimal editor, $300
X-Ways Forensics – Excellent forensics package, $1000
X-Ways Software Technology AG

Access Data Corp.
FTK – Forensics Tool Kit 1.70, 1.72, 1.80, 2.0, 2.2, 3.2, $3000 - 4000
PRTK – Password Recovery Toolkit
Registry Viewer
FTK Imager – Free

Spinrite
Fast, accurate
Does overwrite the drive: not forensically sound
Great if you are desperate; recovers a lot of data off of an injured drive
$89.00

Lab Today

Dry run: use dd on the hard drive in the workstation
Only capture the first 100 sectors or so
Look at the image in WinHex
Save it, you will need it next week